Auto-update flake.lock (#563) #1310
# CI & Deploy
#
# Pipeline shape (all heavy lifting is delegated to reusable workflows in
# shinbunbun/nix-ci-workflows; this file only wires inputs and secrets):
#   format-check + discover-targets
#     -> build-nixos / build-darwin (matrix from discover-targets) / build-devshell
#     -> notify-build-complete (Discord message with the run URL)
#     -> deploy-nixos / deploy-macmini / deploy-g3pro (environment: production)
#
# NOTE(review): every `uses:` below points at `@main` of nix-ci-workflows, a
# mutable ref, so a change on that branch is picked up by the next run here
# with no change in this repository. Pinning to a commit SHA and bumping it
# deliberately would make that dependency auditable and reviewable.
name: CI & Deploy

on:
  push:
  workflow_dispatch:
    inputs:
      # NOTE(review): every deploy/notify `if:` below also requires
      # github.event_name == 'push', and the `inputs` context is empty on push
      # events, so this flag currently cannot change the outcome of any run:
      # manual dispatches never deploy, pushes never see the flag. Either the
      # event check or the input is redundant — confirm which was intended.
      skip_deploy:
        description: 'Skip deployment step'
        required: false
        type: boolean
        default: false

# Workflow-wide GITHUB_TOKEN scope; the called reusable workflows inherit at
# most this. `id-token: write` permits OIDC token requests (presumably used by
# the called workflows together with AUTHENTIK_CLIENT_ID — confirm there).
permissions:
  id-token: write
  contents: read

jobs:
  format-check:
    uses: shinbunbun/nix-ci-workflows/.github/workflows/format-check.yaml@main

  # Provides the has-nixos / has-darwin flags and the JSON build matrices
  # consumed by the build jobs below.
  discover-targets:
    uses: shinbunbun/nix-ci-workflows/.github/workflows/discover-targets.yaml@main

  # Main build
  build-nixos:
    needs: [format-check, discover-targets]
    # Skipped entirely when no NixOS targets were discovered; by default every
    # job that `needs` it is then skipped as well.
    if: needs.discover-targets.outputs.has-nixos == 'true'
    strategy:
      matrix: ${{ fromJSON(needs.discover-targets.outputs.nixos-matrix) }}
    uses: shinbunbun/nix-ci-workflows/.github/workflows/build-nix.yaml@main
    with:
      runner: ubuntu-latest
      build-target: ".#nixosConfigurations.${{ matrix.configuration }}.config.system.build.toplevel"
      result-name: ${{ matrix.configuration }}
      needs-sops: true
      needs-wireguard: true
      # Plain-HTTP binary cache on a private address; `needs-wireguard: true`
      # suggests it is reached only through the tunnel — confirm the runner
      # cannot reach it over any other path, since the transport is unencrypted.
      attic-server: 'http://192.168.1.3:8080'
    secrets:
      AUTHENTIK_CLIENT_ID: ${{ secrets.AUTHENTIK_CLIENT_ID }}
      ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
      ATTIC_READ_TOKEN: ${{ secrets.ATTIC_READ_TOKEN }}
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

  # Same as build-nixos for the nix-darwin targets, on a macOS runner.
  build-darwin:
    needs: [format-check, discover-targets]
    if: needs.discover-targets.outputs.has-darwin == 'true'
    strategy:
      matrix: ${{ fromJSON(needs.discover-targets.outputs.darwin-matrix) }}
    uses: shinbunbun/nix-ci-workflows/.github/workflows/build-nix.yaml@main
    with:
      runner: macos-latest
      build-target: ".#darwinConfigurations.${{ matrix.configuration }}.config.system.build.toplevel"
      result-name: ${{ matrix.configuration }}
      needs-sops: true
      needs-wireguard: true
      attic-server: 'http://192.168.1.3:8080'
    secrets:
      AUTHENTIK_CLIENT_ID: ${{ secrets.AUTHENTIK_CLIENT_ID }}
      ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
      ATTIC_READ_TOKEN: ${{ secrets.ATTIC_READ_TOKEN }}
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

  # Dev shell build only; not matrixed, needs no sops key, and nothing
  # downstream depends on it.
  build-devshell:
    needs: format-check
    uses: shinbunbun/nix-ci-workflows/.github/workflows/build-nix.yaml@main
    with:
      runner: ubuntu-latest
      build-target: ".#devShells.x86_64-linux.default"
      result-name: devshell
      needs-wireguard: true
      attic-server: 'http://192.168.1.3:8080'
    secrets:
      AUTHENTIK_CLIENT_ID: ${{ secrets.AUTHENTIK_CLIENT_ID }}
      ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
      ATTIC_READ_TOKEN: ${{ secrets.ATTIC_READ_TOKEN }}

  # Posts the run URL to Discord once both OS builds succeeded. All three
  # deploy jobs `need` this job, so its `needs`/`if` are effectively the deploy
  # gate: a skipped build-darwin (no darwin targets) skips this job and, by
  # default, every deploy — including the NixOS ones.
  notify-build-complete:
    name: Notify build completion
    needs: [build-nixos, build-darwin]
    runs-on: ubuntu-latest
    # NOTE(review): refs/heads/fix/deploy is treated exactly like main and
    # reaches production; if that branch only existed to debug the pipeline,
    # consider dropping it here and in the three deploy jobs below.
    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/fix/deploy') && github.event_name == 'push' && !inputs.skip_deploy
    steps:
      - name: Send Discord notification
        # The webhook URL is a repository secret (masked in logs); the only
        # other interpolated values are github.repository and github.run_id,
        # neither of which is user-controlled input.
        run: |
          curl -X POST "${{ secrets.DISCORD_WEBHOOK_URL }}" \
            -H "Content-Type: application/json" \
            -d "{
              \"content\": \"✅ ビルド完了\\n\\n**デプロイ承認待ち**\\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\\n\\nデプロイを開始するには、上記リンクから \`Deploy to NixOS\` ジョブを承認してください。\"
            }"

  # Production deploys. `environment: production` is passed to the reusable
  # workflow, which presumably binds its job to that environment; the manual
  # approval the Discord message refers to would then come from required
  # reviewers configured on the environment — confirm that protection rule
  # exists, since nothing in this file enforces it.
  deploy-nixos:
    name: Deploy to NixOS
    needs: [build-nixos, notify-build-complete]
    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/fix/deploy') && github.event_name == 'push' && !inputs.skip_deploy
    uses: shinbunbun/nix-ci-workflows/.github/workflows/deploy-nix.yaml@main
    with:
      environment: production
      deploy-target: ".#homeMachine"
      ssh-hostname: homemachine
      ssh-host: "192.168.1.3"
      needs-sops: true
    secrets:
      AUTHENTIK_CLIENT_ID: ${{ secrets.AUTHENTIK_CLIENT_ID }}
      ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
      ATTIC_READ_TOKEN: ${{ secrets.ATTIC_READ_TOKEN }}
      DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

  deploy-macmini:
    name: Deploy to macmini
    needs: [build-darwin, notify-build-complete]
    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/fix/deploy') && github.event_name == 'push' && !inputs.skip_deploy
    uses: shinbunbun/nix-ci-workflows/.github/workflows/deploy-nix.yaml@main
    with:
      environment: production
      deploy-target: ".#macmini"
      ssh-hostname: macmini
      # Port and user are quoted on purpose so they stay strings.
      ssh-host: "192.168.1.5"
      ssh-port: '22'
      ssh-user: 'deploy'
      needs-sops: true
      # Only this deploy requests the WireGuard tunnel even though all three
      # ssh-host values are private addresses; presumably the other two hosts
      # are reachable from the deploy runner without it — confirm.
      needs-wireguard: true
    secrets:
      AUTHENTIK_CLIENT_ID: ${{ secrets.AUTHENTIK_CLIENT_ID }}
      ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
      ATTIC_READ_TOKEN: ${{ secrets.ATTIC_READ_TOKEN }}
      DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

  deploy-g3pro:
    name: Deploy to g3pro
    needs: [build-nixos, notify-build-complete]
    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/fix/deploy') && github.event_name == 'push' && !inputs.skip_deploy
    uses: shinbunbun/nix-ci-workflows/.github/workflows/deploy-nix.yaml@main
    with:
      environment: production
      deploy-target: ".#g3pro"
      ssh-hostname: g3pro
      ssh-host: "192.168.1.6"
      needs-sops: true
    secrets:
      AUTHENTIK_CLIENT_ID: ${{ secrets.AUTHENTIK_CLIENT_ID }}
      ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
      ATTIC_READ_TOKEN: ${{ secrets.ATTIC_READ_TOKEN }}
      DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}